Display name impersonation using recipient SLD

The recipient domain's SLD is used in the sender's display name in order to impersonate the organization.

Sublime rule

```yaml
name: "Display name impersonation using recipient SLD"
description: |
  The recipient domain's SLD is used in the sender's display name
  in order to impersonate the organization.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // recipient SLD is being impersonated in the display name
    (
      // these are usually targeted with just 1 recipient,
      // but sometimes they CC themselves or have a blank CC
      length(recipients.to) + length(recipients.cc)
        + length(recipients.bcc) <= 2
      and any(recipients.to,
              length(.email.domain.sld) >= 4
              and
              // ensure that we're checking the org SLD
              .email.domain.sld in $org_slds
              and strings.icontains(sender.display_name, .email.domain.sld)
      )
    )
    or (
      // accounts for BCC'd messages where the recipients are empty
      // if BCC, sometimes the recipient will be the attacker's email
      length(recipients.to) + length(recipients.cc)
        + length(recipients.bcc) <= 2
      and length(mailbox.email.domain.sld) >= 4
      and strings.icontains(sender.display_name, mailbox.email.domain.sld)
    )
  )
  and (
    // at least 1 link or non-image attachment
    (
      length(body.links) > 0
      // these attacks all use compromised senders, so we look for a domain
      // that doesn't match the sender's domain to weed out legit messages
      and any(body.links,
              .href_url.domain.root_domain != sender.email.domain.root_domain
      )
    )
    or length(filter(attachments, .file_type not in $file_types_images)) > 0
  )
  and not (
    strings.contains(sender.display_name, "on behalf of")
    and sender.email.domain.root_domain == "microsoftonline.com"
  )
  and all(recipients.to,
          .email.email != sender.email.email
          and (
            .email.domain.valid or strings.icontains(.display_name, "undisclosed")
          )
  )

  // negate org domain senders, which can often be misconfigured and fail
  // authentication, causing them to be type.inbound instead of type.internal.
  // this is fine because we should catch spoofs in other ways.
  // also, we use root_domain here to account for subdomains used by internal tools that aren't connected to the tenant.
  // this should also be safe because domains like onmicrosoft[.]com are tracked as FQDNs in $org_domains, so they won't match
  and sender.email.domain.root_domain not in $org_domains

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and (
    (not profile.by_sender().solicited)
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "81a8ed12-0e26-5998-90ae-03334f358704"
```
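The core of the rule above, re-implemented in plain Python as an added illustration of how the recipient-SLD match, the off-domain link check and the exclusions fit together (this is not Sublime's code or its MQL engine). The message layout, the `examplecorp` tenant values and the sample messages are constructed; the sender-profile and DMARC conditions of the rule are left out.

```python
ORG_SLDS = {"examplecorp"}          # constructed: SLDs of the tenant's domains ($org_slds)
ORG_DOMAINS = {"examplecorp.com"}   # constructed: the tenant's verified domains ($org_domains)
IMAGE_TYPES = {"png", "jpg", "jpeg", "gif"}

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def sld(domain: str) -> str:
    """Second-level label: 'mail.examplecorp.com' -> 'examplecorp'."""
    labels = domain.lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def root_domain(domain: str) -> str:
    # naive two-label registrable domain: 'a.b.example.net' -> 'example.net'
    return ".".join(domain.lower().split(".")[-2:])

def display_name_impersonates_recipient_sld(msg: dict) -> bool:
    sender, name = msg["sender"], msg["sender"]["display_name"].lower()
    # targeted lures usually have one recipient, at most a self-CC or blank CC
    if len(msg["to"]) + len(msg["cc"]) + len(msg["bcc"]) > 2:
        return False
    # an org SLD of >= 4 chars from a recipient (or, for BCC'd mail, the mailbox) appears in the display name
    cands = [sld(domain_of(r["email"])) for r in msg["to"]]
    hit = any(len(s) >= 4 and s in ORG_SLDS and s in name for s in cands)
    mbox = sld(domain_of(msg["mailbox"]))
    if not (hit or (len(mbox) >= 4 and mbox in name)):
        return False
    # at least one link off the sender's own domain (compromised senders) or a non-image attachment
    sender_root = root_domain(domain_of(sender["email"]))
    off_domain_link = any(root_domain(d) != sender_root for d in msg["link_domains"])
    non_image = any(a.rsplit(".", 1)[-1].lower() not in IMAGE_TYPES for a in msg["attachments"])
    if not (off_domain_link or non_image):
        return False
    # exclusions carried over from the rule: Microsoft "on behalf of" relays, org senders, self-addressed mail
    if "on behalf of" in sender["display_name"] and sender_root == "microsoftonline.com":
        return False
    if sender_root in ORG_DOMAINS:
        return False
    return all(r["email"].lower() != sender["email"].lower() for r in msg["to"])

# constructed sample messages: a lure from a third-party sender, and a legitimate internal notice
PHISH = {"sender": {"display_name": "ExampleCorp IT Helpdesk", "email": "j.doe@partner-supplies.net"},
         "to": [{"email": "alice@examplecorp.com"}], "cc": [], "bcc": [],
         "mailbox": "alice@examplecorp.com", "link_domains": ["reset-portal.invalid"], "attachments": []}
LEGIT = {"sender": {"display_name": "ExampleCorp Payroll", "email": "hr@examplecorp.com"},
         "to": [{"email": "bob@examplecorp.com"}], "cc": [], "bcc": [],
         "mailbox": "bob@examplecorp.com", "link_domains": ["intranet.examplecorp.com"], "attachments": []}

if __name__ == "__main__":
    print(display_name_impersonates_recipient_sld(PHISH), display_name_impersonates_recipient_sld(LEGIT))
```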